/usr/share/doc/ganeti/html/cluster-keys-replacement.html is in ganeti-doc 2.16.0~rc2-1build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Cluster Keys Replacement — Ganeti 2.16.0~rc2 documentation</title>
<link rel="stylesheet" href="_static/style.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: './',
VERSION: '2.16.0~rc2',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Improving allocation efficiency by considering the total reserved memory" href="design-allocation-efficiency.html" />
<link rel="prev" title="Merging clusters" href="cluster-merge.html" />
</head>
<body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="design-allocation-efficiency.html" title="Improving allocation efficiency by considering the total reserved memory"
accesskey="N">next</a></li>
<li class="right" >
<a href="cluster-merge.html" title="Merging clusters"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="index.html">Ganeti 2.16.0~rc2 documentation</a> »</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="cluster-keys-replacement">
<h1>Cluster Keys Replacement<a class="headerlink" href="#cluster-keys-replacement" title="Permalink to this headline">¶</a></h1>
<p>Ganeti uses both SSL and SSH keys, and actively modifies the SSH keys
on the nodes. As result, in order to replace these keys, a few extra
steps need to be followed.</p>
<p>For an example when this could be needed, see the thread at
<a class="reference external" href="http://groups.google.com/group/ganeti/browse_thread/thread/30cc95102dc2123e">Regenerating SSL and SSH keys after the security bug in Debian’s
OpenSSL</a>.</p>
<p>Ganeti uses OpenSSL for encryption on the RPC layer and SSH for
executing commands. The SSL certificate is automatically generated
when the cluster is initialized and it’s copied to added nodes
automatically together with the master’s SSH host key.</p>
<p>Note that paths below may vary depending on your distribution. In
general, modifications should be done on the master node and then
distributed to all nodes of a cluster (possibly using a pendrive - but
don’t forget to use “shred” to remove files securely afterwards).</p>
<div class="section" id="replacing-ssl-keys">
<h2>Replacing SSL keys<a class="headerlink" href="#replacing-ssl-keys" title="Permalink to this headline">¶</a></h2>
<p>The cluster-wide SSL key is stored in <code class="docutils literal"><span class="pre">/var/lib/ganeti/server.pem</span></code>.
Besides that, since Ganeti 2.11, each node has an individual node
SSL key, which is stored in <code class="docutils literal"><span class="pre">/var/lib/ganeti/client.pem</span></code>. This
client certificate is signed by the cluster-wide SSL certificate.</p>
<p>To renew the individual node certificates, run this command:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">gnt</span><span class="o">-</span><span class="n">cluster</span> <span class="n">renew</span><span class="o">-</span><span class="n">crypto</span> <span class="o">--</span><span class="n">new</span><span class="o">-</span><span class="n">node</span><span class="o">-</span><span class="n">certificates</span>
</pre></div>
</div>
<p>Run the following command to generate a new cluster-wide certificate:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">gnt</span><span class="o">-</span><span class="n">cluster</span> <span class="n">renew</span><span class="o">-</span><span class="n">crypto</span> <span class="o">--</span><span class="n">new</span><span class="o">-</span><span class="n">cluster</span><span class="o">-</span><span class="n">certificate</span>
</pre></div>
</div>
<p>Note that this triggers both, the renewal of the cluster certificate
as well as the renewal of the individual node certificate. The reason
for this is that the node certificates are signed by the cluster
certificate and thus they need to be renewed and signed as soon as
the changes certificate changes. Therefore, the command above is
equivalent to:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">gnt</span><span class="o">-</span><span class="n">cluster</span> <span class="n">renew</span><span class="o">-</span><span class="n">crypto</span> <span class="o">--</span><span class="n">new</span><span class="o">-</span><span class="n">cluster</span><span class="o">-</span><span class="n">certificate</span> <span class="o">--</span><span class="n">new</span><span class="o">-</span><span class="n">node</span><span class="o">-</span><span class="n">certificates</span>
</pre></div>
</div>
<p>On older versions, which don’t have this command, use this instead:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">chmod</span> <span class="mi">0600</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ganeti</span><span class="o">/</span><span class="n">server</span><span class="o">.</span><span class="n">pem</span> <span class="o">&&</span>
<span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="n">new</span> <span class="o">-</span><span class="n">newkey</span> <span class="n">rsa</span><span class="p">:</span><span class="mi">1024</span> <span class="o">-</span><span class="n">days</span> <span class="mi">1825</span> <span class="o">-</span><span class="n">nodes</span> \
<span class="o">-</span><span class="n">x509</span> <span class="o">-</span><span class="n">keyout</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ganeti</span><span class="o">/</span><span class="n">server</span><span class="o">.</span><span class="n">pem</span> \
<span class="o">-</span><span class="n">out</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ganeti</span><span class="o">/</span><span class="n">server</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">batch</span> <span class="o">&&</span>
<span class="n">chmod</span> <span class="mi">0400</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ganeti</span><span class="o">/</span><span class="n">server</span><span class="o">.</span><span class="n">pem</span> <span class="o">&&</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ganeti</span> <span class="n">restart</span>
<span class="n">gnt</span><span class="o">-</span><span class="n">cluster</span> <span class="n">copyfile</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ganeti</span><span class="o">/</span><span class="n">server</span><span class="o">.</span><span class="n">pem</span>
<span class="n">gnt</span><span class="o">-</span><span class="n">cluster</span> <span class="n">command</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ganeti</span> <span class="n">restart</span>
</pre></div>
</div>
<p>Note that older versions don’t have individual node certificates and thus
one does not have to handle the creation and distribution of them.</p>
</div>
<div class="section" id="replacing-ssh-keys">
<h2>Replacing SSH keys<a class="headerlink" href="#replacing-ssh-keys" title="Permalink to this headline">¶</a></h2>
<p>There are two sets of SSH keys in the cluster: the host keys (both DSA
and RSA, though Ganeti only uses the RSA one) and the root’s DSA key
(Ganeti uses DSA for historically reasons, in the future RSA will be
used).</p>
<div class="section" id="host-keys">
<h3>host keys<a class="headerlink" href="#host-keys" title="Permalink to this headline">¶</a></h3>
<p>These are the files named <code class="docutils literal"><span class="pre">/etc/ssh/ssh_host_*</span></code>. You need to
manually recreate them; it’s possibly that the startup script of
OpenSSH will generate them if they don’t exist, or that the package
system regenerates them.</p>
<p>Also make sure to copy the master’s SSH host keys to all other nodes.</p>
</div>
<div class="section" id="cluster-public-key-file">
<h3>cluster public key file<a class="headerlink" href="#cluster-public-key-file" title="Permalink to this headline">¶</a></h3>
<p>The new public rsa host key created in the previous step must be added
in two places:</p>
<ol class="arabic simple">
<li>known hosts file, <code class="docutils literal"><span class="pre">/var/lib/ganeti/known_hosts</span></code></li>
<li>cluster configuration file, <code class="docutils literal"><span class="pre">/var/lib/ganeti/config.data</span></code></li>
</ol>
<p>Edit these two files and update them with newly generated SSH host key
(in the previous step, take it from the
<code class="docutils literal"><span class="pre">/etc/ssh/ssh_host_rsa_key.pub</span></code>).</p>
<p>For the <code class="docutils literal"><span class="pre">config.data</span></code> file, please look for an entry named
<code class="docutils literal"><span class="pre">rsahostkeypub</span></code> and replace the value for it with the contents of
the <code class="docutils literal"><span class="pre">.pub</span></code> file. For the <code class="docutils literal"><span class="pre">known_hosts</span></code> file, you need to replace
the old key with the new one on each line (for each host).</p>
</div>
<div class="section" id="root-s-key">
<h3>root’s key<a class="headerlink" href="#root-s-key" title="Permalink to this headline">¶</a></h3>
<p>These are the files named <code class="docutils literal"><span class="pre">~root/.ssh/id_dsa*</span></code>.</p>
<p>Run this command to rebuild them:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">ssh</span><span class="o">-</span><span class="n">keygen</span> <span class="o">-</span><span class="n">t</span> <span class="n">dsa</span> <span class="o">-</span><span class="n">f</span> <span class="o">~</span><span class="n">root</span><span class="o">/.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_dsa</span> <span class="o">-</span><span class="n">q</span> <span class="o">-</span><span class="n">N</span> <span class="s2">""</span>
</pre></div>
</div>
</div>
<div class="section" id="root-s-authorized-keys">
<h3>root’s <code class="docutils literal"><span class="pre">authorized_keys</span></code><a class="headerlink" href="#root-s-authorized-keys" title="Permalink to this headline">¶</a></h3>
<p>This is the file named <code class="docutils literal"><span class="pre">~root/.ssh/authorized_keys</span></code>.</p>
<p>Edit file and update it with the newly generated root key, from the
<code class="docutils literal"><span class="pre">id_dsa.pub</span></code> file generated in the previous step.</p>
</div>
</div>
<div class="section" id="finish">
<h2>Finish<a class="headerlink" href="#finish" title="Permalink to this headline">¶</a></h2>
<p>In the end, the files mentioned above should be identical for all
nodes in a cluster. Also do not forget to run <code class="docutils literal"><span class="pre">gnt-cluster</span> <span class="pre">verify</span></code>.</p>
</div>
</div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<h3><a href="index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Cluster Keys Replacement</a><ul>
<li><a class="reference internal" href="#replacing-ssl-keys">Replacing SSL keys</a></li>
<li><a class="reference internal" href="#replacing-ssh-keys">Replacing SSH keys</a><ul>
<li><a class="reference internal" href="#host-keys">host keys</a></li>
<li><a class="reference internal" href="#cluster-public-key-file">cluster public key file</a></li>
<li><a class="reference internal" href="#root-s-key">root’s key</a></li>
<li><a class="reference internal" href="#root-s-authorized-keys">root’s <code class="docutils literal"><span class="pre">authorized_keys</span></code></a></li>
</ul>
</li>
<li><a class="reference internal" href="#finish">Finish</a></li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="cluster-merge.html"
title="previous chapter">Merging clusters</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="design-allocation-efficiency.html"
title="next chapter">Improving allocation efficiency by considering the total reserved memory</a></p>
<div role="note" aria-label="source link">
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="_sources/cluster-keys-replacement.rst.txt"
rel="nofollow">Show Source</a></li>
</ul>
</div>
<div id="searchbox" style="display: none" role="search">
<h3>Quick search</h3>
<form class="search" action="search.html" method="get">
<div><input type="text" name="q" /></div>
<div><input type="submit" value="Go" /></div>
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="design-allocation-efficiency.html" title="Improving allocation efficiency by considering the total reserved memory"
>next</a></li>
<li class="right" >
<a href="cluster-merge.html" title="Merging clusters"
>previous</a> |</li>
<li class="nav-item nav-item-0"><a href="index.html">Ganeti 2.16.0~rc2 documentation</a> »</li>
</ul>
</div>
<div class="footer" role="contentinfo">
© Copyright 2018, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Google Inc..
Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.6.7.
</div>
</body>
</html>
|